MagicMirror Server-Side Request Forgery Vulnerability in CORS Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in MagicMirror versions prior to 2.36.0. The vulnerability exists in the '/cors' endpoint, which acts as an open HTTP proxy without authentication or URL validation. This allows remote attackers to make arbitrary HTTP requests from the MagicMirror server to internal networks, cloud metadata services, and localhost services. Additionally, the endpoint expands environment variable placeholders, enabling the exfiltration of server-side secrets such as API keys and database credentials.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services, cloud metadata, and environment variables containing sensitive information.

Reproduction

To reproduce this vulnerability, send a GET request to the '/cors' endpoint with a URL parameter pointing to an internal service or a cloud metadata URL. The server will fetch the URL and return the response, effectively acting as a proxy. To exfiltrate environment variables, include a placeholder in the URL parameter that corresponds to a secret variable name.

Remediation

Users are advised to update MagicMirror to version 2.36.0 or later.
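As an added illustration of the URL validation a proxy endpoint of this kind needs, and not MagicMirror's own code: a Node.js helper that checks the requested target before the server fetches it. The `${NAME}` placeholder syntax, the function and variable names, and the allowlist are assumptions.

```javascript
// Hosts a proxy endpoint must never reach; 169.254.169.254 is the
// well-known cloud instance metadata address.
const BLOCKED_HOSTS = new Set(["localhost", "169.254.169.254", "metadata.google.internal"]);

// Loopback, unspecified, private (RFC 1918) and link-local IPv4 ranges.
function isInternalIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Loopback, unspecified, link-local, unique-local and IPv4-mapped IPv6 addresses.
function isInternalIPv6(ip) {
  const s = ip.toLowerCase();
  if (s === "::1" || s === "::" || /^fe[89ab]/.test(s) || /^f[cd]/.test(s)) return true;
  const m = s.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
  if (!m) return false;
  if (m[1]) return isInternalIPv4(m[1]);
  const hi = parseInt(m[2], 16), lo = parseInt(m[3], 16);
  return isInternalIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Hypothetical validator for a proxy target (not MagicMirror's code).
// Returns { ok: true, url } or { ok: false, reason }. allowedHosts is an
// optional allowlist; a proxy endpoint should normally have one.
function validateProxyTarget(raw, allowedHosts = null) {
  // Assumed ${NAME} placeholder syntax: refuse anything the server might expand.
  if (/\$\{[^}]*\}/.test(raw)) return { ok: false, reason: "placeholder" };
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  // The WHATWG parser already normalises forms such as 127.1 or 0x7f000001
  // to dotted decimal, so the range checks see a canonical address.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (BLOCKED_HOSTS.has(host)) return { ok: false, reason: "blocked-host" };
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isInternalIPv4(host)) return { ok: false, reason: "internal-ip" };
  if (host.includes(":") && isInternalIPv6(host)) return { ok: false, reason: "internal-ip" };
  if (allowedHosts && !allowedHosts.includes(host)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true, url: url.toString() };
}
```

The check covers literal addresses only; a hostname that resolves to an internal address (including via DNS rebinding) or a redirect to one still needs the resolved address checked at connect time and each redirect hop re-validated.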

Added: May 14, 2026, 4:31 PM
Updated: May 14, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 8.3
threat: 6.5
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.